Smart phones can be rooted to gain privileged or administrative control or access, also called root access, to tools and functions otherwise unavailable. Rooted phones often use file or process hiding techniques such as path or library obfuscation so that unauthorized software is not visible. Unfortunately, malicious software can also be hidden using the same techniques. A common technique for hiding the presence of files or running applications is hooking libraries to block access to certain files. For example, on rooted ANDROID™ phones, one evasion technique is to hook open or status calls on system files. This prevents discovery of what applications are installed, and even prevents discovery of binaries that indicate the presence of malicious software or policy violation. Therefore, there is a need in the art for a solution which overcomes the file or process hiding techniques described above.
In some embodiments, a processor-based method to defeat file and process hiding techniques in a computing device is provided. The method includes generating one of a path permutation, a symlink, or an address, for a path to open or obtain status of a tool or function in a library in a mobile computing device and making an open or status call for the tool or function, using the one of the path permutation, symlink or address. The method includes avoiding a pattern match and blocking, by an injected library, of the open or status call, the avoiding being a result of making the open or status call using the path permutation, symlink or address.
In some embodiments, a method, performed by a processor in a smart phone, to circumvent file and process hiding techniques in rooted phones, is provided. The method includes performing one of: permuting a path used to open or obtain status of a tool or function in a library; or creating a file, as a symlink, that points to the tool or function. The method further includes opening, or obtaining status of, the tool or function via one of the permuted path resulting from the permuting, or the symlink, whereby the opening or obtaining status of the tool or function provides the capability to circumvent pattern matching and blocking operations of an interposition library.
In some embodiments, a method to access a tool or function in the presence of file and process hiding techniques in mobile computing devices, performed by a processor in a mobile computing device, is provided. The method includes determining a tool or function in a library, to open or obtain status thereof, wherein the tool or function has a first file system path, and determining a second file system path, differing in content or syntax from the first file system path. The method includes making an open call or a status call for the tool or function, using the second file system path as one of a path permutation of the first file system path, or a path that invokes a symlink, wherein using the second file system path confers the ability to evade pattern matching and blocking by an injected library of the mobile computing device.
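The three embodiments above describe one mechanism: an interposition library that matches the path string handed to open() or stat() is defeated by any spelling of the path that resolves to the same file. The following Python script is an added illustration, not code from the patent or from any product; it builds a throwaway directory tree under a temporary directory, stands in a simulated hook for the injected library, and shows that a doubled separator, a `.` segment, a `..` segment and a symlink whose name carries no trace of the hidden path all reach the same inode. The hidden tail `system/xbin/su`, the hook functions and the sandbox layout are all constructed for the example. A second, canonicalising hook is included to show the check a defender writing such a filter would want: resolve the path before matching, and the syntactic variants no longer matter.

```python
"""Path permutations and a symlink versus a path-string-matching hook.

Added example (not from the patent). Everything here is constructed:
the temp tree, the 'su' placeholder file, the hidden tail and the hooks
that model an injected (interposition) library.
"""
import os
import shutil
import tempfile
from typing import Callable, Dict, List, Optional

# Path tail the simulated hook is assumed to hide (constructed value).
HIDDEN_TAIL = "system/xbin/su"


def naive_hook(path: str) -> bool:
    """Model of a pattern-matching interposition hook.

    Blocks an open()/stat() when the raw path string contains the hidden
    tail. It never canonicalises, which is the weakness the patent exploits.
    """
    return HIDDEN_TAIL in path


def canonical_hook(path: str) -> bool:
    """Hardened variant: resolve '.', '..', doubled separators and symlinks
    first, then match. Spelling tricks and symlinks no longer slip past."""
    return HIDDEN_TAIL in os.path.realpath(path)


def permute_path(path: str) -> List[str]:
    """Spellings of `path` that differ in syntax but name the same file."""
    head, name = os.path.split(path)
    parent = os.path.basename(head)
    grand = os.path.dirname(head)
    return [
        f"{grand}//{parent}/{name}",     # doubled separator
        f"{head}/./{name}",              # '.' segment before the file name
        f"{head}/../{parent}/{name}",    # '..' back into the same directory
    ]


def guarded_stat(path: str, hook: Callable[[str], bool]) -> Optional[int]:
    """stat() routed through the simulated hook; None means the hook blocked it."""
    if hook(path):
        return None
    return os.stat(path).st_ino  # follows symlinks, like a real stat()


def build_sandbox() -> tuple:
    """Create tmp/system/xbin/su (placeholder content) and a symlink to it
    whose own name contains nothing the hook looks for."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "system", "xbin", "su")
    os.makedirs(os.path.dirname(target))
    with open(target, "w") as fh:
        fh.write("#!/system/bin/sh\n")  # placeholder, not a real binary
    link = os.path.join(root, "probe_link")
    os.symlink(target, link)
    return root, target, link


def probe(hook: Callable[[str], bool]) -> Dict[str, object]:
    """Try direct, permuted and symlink lookups against `hook`.

    Returns, per method, whether the lookup succeeded AND resolved to the
    same inode as the hidden file (True), or was blocked (False).
    """
    root, target, link = build_sandbox()
    try:
        true_ino = os.stat(target).st_ino
        direct = guarded_stat(target, hook)
        permuted = [guarded_stat(p, hook) for p in permute_path(target)]
        via_link = guarded_stat(link, hook)
    finally:
        shutil.rmtree(root)
    return {
        "direct": direct == true_ino,
        "permuted": [ino == true_ino for ino in permuted],
        "symlink": via_link == true_ino,
    }


if __name__ == "__main__":
    print("naive hook    :", probe(naive_hook))
    print("canonical hook:", probe(canonical_hook))
```

Against the naive hook the direct lookup is blocked while every permutation and the symlink succeed, which is exactly the property the claims rely on; against the canonicalising hook all four are blocked. The lesson cuts both ways: a detection tool that wants to survive a hooked libc should issue its open/stat calls through non-canonical spellings or a freshly created symlink, and anyone building a legitimate path filter must canonicalise before comparing.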
Other aspects and advantages of the embodiments will become apparent from the following detailed description taken in conjunction with the accompanying drawings which illustrate, by way of example, the principles of the described embodiments.